Support draft-directory-04 with sf-dictionary signature-agent

This commits adds support for sf-dioctionary headers in
http-message-sig, and paired signature-agent as a dictionary format.

This is made to be backward compatible: old test vectors still pass.

The implementation of sf-dictionary is primitive, and likely does not
pass all tests for [RFC 8941](https://www.rfc-editor.org/rfc/rfc8941.html).

This is acceptable for now. We _could_ publish this as an alpha.

The new test vectors are added in
thibmeu/http-message-signatures-directory#79,
and have a corresponding json
[web_bot_auth_architecture_v2.json](./packages/web-bot-auth/test/test_data/web_bot_auth_architecture_v2.json).
They can be imported by other implementations.

Author: thibmeu

packages/http-message-sig/src/build.ts

@@ -1,4 +1,27 @@
-import { Component, Parameters, RequestLike, ResponseLike } from "./types";
+import {
+  Component,
+  Parameters,
+  RequestLike,
+  ResponseLike,
+  StructuredFieldComponent,
+} from "./types";
+
+export function extractStructuredFieldDictionaryHeader(
+  r: RequestLike | ResponseLike,
+  component: StructuredFieldComponent
+): string {
+  const headerValue = extractHeader(r, component.header);
+  if (!headerValue) return headerValue;
+
+  const items = headerValue.split(",").map((item) => item.trim());
+  for (const item of items) {
+    const [key, ...rest] = item.split("=");
+    if (key === component.key) {
+      return rest.join("=").replace(/^"|"$/g, "");
+    }
+  }
+  return "";
+}
 
 export function extractHeader(
   { headers }: RequestLike | ResponseLike,
@@ -74,13 +97,18 @@ export function extractComponent(
   }
 }
 
+const componentToString = (component: Component): string => {
+  if (typeof component === "string") {
+    return `"${component}"`.toLowerCase();
+  }
+  return `"${component.header}";key="${component.key}"`.toLocaleLowerCase();
+};
+
 export function buildSignatureInputString(
   componentNames: Component[],
   parameters: Parameters
 ): string {
-  const components = componentNames
-    .map((name) => `"${name.toLowerCase()}"`)
-    .join(" ");
+  const components = componentNames.map(componentToString).join(" ");
   const values = Object.entries(parameters)
     .map(([parameter, value]) => {
       if (typeof value === "number") return `;${parameter}=${value}`;
@@ -99,10 +127,15 @@ export function buildSignedData(
   signatureInputString: string
 ): string {
   const parts = components.map((component) => {
-    const value = component.startsWith("@")
-      ? extractComponent(request, component)
-      : extractHeader(request, component);
-    return `"${component.toLowerCase()}": ${value}`;
+    let value: string;
+    if (typeof component !== "string") {
+      value = extractStructuredFieldDictionaryHeader(request, component);
+    } else if (component.startsWith("@")) {
+      value = extractComponent(request, component);
+    } else {
+      value = extractHeader(request, component);
+    }
+    return `${componentToString(component)}: ${value}`;
   });
   parts.push(`"@signature-params": ${signatureInputString}`);
   return parts.join("\n");

packages/http-message-sig/src/directory.ts

@@ -20,7 +20,7 @@ export async function directoryResponseHeaders<T1 extends RequestLike>(
 
   // TODO: consider validating the directory structure, and confirm we have one signer per key
 
-  const components: string[] = RESPONSE_COMPONENTS;
+  const components = RESPONSE_COMPONENTS;
 
   const headers = new Map<string, SignatureHeaders>();
 

packages/http-message-sig/src/parse.ts

@@ -1,10 +1,19 @@
-import { Component, HeaderValue, Parameter, Parameters } from "./types";
+import {
+  Component,
+  HeaderValue,
+  Parameter,
+  Parameters,
+  StructuredFieldComponent,
+} from "./types";
 import { decode as base64Decode } from "./base64";
 
 function parseEntry(
   headerName: string,
   entry: string
-): [string, string | number | true | (string | number)[]] {
+): [
+  string,
+  string | number | true | (string | number | StructuredFieldComponent)[],
+] {
   // this is wrong. it should only split the first `=`
   const equalsIndex = entry.indexOf("=");
   if (equalsIndex === -1) {
@@ -19,19 +28,34 @@ function parseEntry(
   if (value.match(/^".*"$/)) return [key.trim(), value.slice(1, -1)];
   if (value.match(/^\d+$/)) return [key.trim(), parseInt(value)];
 
+  // TODO: this is restricted to components array. Per RFC9421, there could be more
   if (value.match(/^\(.*\)$/)) {
-    const arr = value
-      .slice(1, -1)
-      .split(/\s+/)
-      .map((entry) => entry.match(/^"(.*)"$/)?.[1] ?? parseInt(entry));
+    const arr = value.slice(1, -1).split(/\s+/);
+
+    const res = [];
+    for (const item of arr) {
+      const match = item.match(/^"(.*)"$/);
+      let toPush;
+      if (!match) {
+        toPush = parseInt(item);
+      } else if (match[1].includes('";key="')) {
+        toPush = {
+          key: match[1].split('";key="')[1],
+          header: match[1].split('";key="')[0],
+        };
+      } else {
+        toPush = match[1];
+      }
+      res.push(toPush);
+    }
 
-    if (arr.some((value) => typeof value === "number" && isNaN(value))) {
+    if (res.some((value) => typeof value === "number" && isNaN(value))) {
       throw new Error(
         `Invalid ${headerName} header. Invalid value ${key}=${value}`
       );
     }
 
-    return [key.trim(), arr];
+    return [key.trim(), res];
   }
 
   throw new Error(
@@ -43,27 +67,20 @@ function parseParametersHeader(
   name: string,
   header: HeaderValue
 ): { key: string; components: Component[]; parameters: Parameters } {
-  const entries = header
-    .toString()
+  const rawHeader = header.toString();
+  const [rawComponents, rawParameters] = rawHeader.split(/(?<=\))/, 2);
+  const [key, components] = parseEntry(name, rawComponents.trim()) as [
+    string,
+    Component[],
+  ];
+
+  const entries = rawParameters
     // eslint-disable-next-line security/detect-unsafe-regex
     .match(/(?:[^;"]+|"[^"]+")+/g)
     ?.map((entry) => parseEntry(name, entry.trim()));
 
   if (!entries) throw new Error(`Invalid ${name} header. Invalid value`);
 
-  const componentsIndex = entries.findIndex(([, value]) =>
-    Array.isArray(value)
-  );
-  if (componentsIndex === -1)
-    throw new Error(`Invalid ${name} header. Missing components`);
-  const [[key, components]] = entries.splice(componentsIndex, 1) as [
-    [string, Component[]],
-  ];
-
-  if (entries.some(([, value]) => Array.isArray(value))) {
-    throw new Error(`Multiple signatures is not supported`);
-  }
-
   const parameters = Object.fromEntries(entries) as Record<
     Parameter,
     string | number | Date

packages/http-message-sig/src/types.ts

@@ -56,6 +56,11 @@ export type Parameter =
   | "keyid"
   | string;
 
+export interface StructuredFieldComponent {
+  header: string;
+  key: string;
+}
+
 export type Component =
   | "@method"
   | "@target-uri"
@@ -67,7 +72,8 @@ export type Component =
   | "@query-param"
   | "@status"
   | "@request-response"
-  | string;
+  | string
+  | StructuredFieldComponent;
 
 interface StandardParameters {
   expires?: Date;

packages/http-message-sig/test/build.spec.ts

@@ -209,6 +209,8 @@ describe("build", () => {
         "Content-Type": "application/json",
         Digest: "SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=",
         "Content-Length": "18",
+        "Test-Structured-Field":
+          'one-key="random", test-key="test-value", another-key=42',
       },
     };
 
@@ -238,6 +240,21 @@ describe("build", () => {
       );
     });
 
+    it("constructs structured-field dictionary example", () => {
+      const components: Component[] = [
+        { header: "Test-Structured-Field", key: "test-key" },
+      ];
+      const data = buildSignedData(
+        testRequest,
+        components,
+        '("test-structured-field";key="test-key");created=1618884475;keyid="test-key-rsa-pss"'
+      );
+      expect(data).to.equal(
+        '"test-structured-field";key="test-key": test-value\n' +
+          '"@signature-params": ("test-structured-field";key="test-key");created=1618884475;keyid="test-key-rsa-pss"'
+      );
+    });
+
     it("constructs full example", () => {
       const components: Component[] = [
         "Date",

packages/web-bot-auth/package.json

@@ -23,7 +23,7 @@
   },
   "scripts": {
     "build": "tsup src/index.ts src/crypto.ts --format cjs,esm --dts --clean",
-    "generate-test-vectors": "node --experimental-transform-types scripts/test-vectors.ts test/test_data/web_bot_auth_architecture_v1.json",
+    "generate-test-vectors": "npm run build && node --experimental-transform-types scripts/test-vectors.ts test/test_data/web_bot_auth_architecture_v2.json",
     "prepublishOnly": "npm run build",
     "test": "vitest",
     "watch": "npm run build -- --watch src"

packages/web-bot-auth/scripts/test-vectors.ts

@@ -3,9 +3,11 @@
 ///
 /// It takes one positional argument: [path] which is where the vectors should be written in JSON
 
-const { generateNonce, signatureHeaders } = await import("../src/index.ts");
+const { generateNonce, recommendedComponents, signatureHeaders } = await import(
+  "../dist/index.mjs"
+);
 
-const { signerFromJWK } = await import("../src/crypto.ts");
+const { signerFromJWK } = await import("../dist/crypto.mjs");
 
 const fs = await import("fs");
 
@@ -22,18 +24,20 @@ interface TestVector {
   signature: string;
   signature_input: string;
   signature_agent?: string;
+  signature_agent_key?: string;
 }
 
 async function generateTestVectors(jwk: JsonWebKey): Promise<TestVector[]> {
   const now = new Date("2025-01-01T00:00:00Z");
   const created = now;
-  const expires = new Date(now.getTime() + 3_600_000);
+  const expires = new Date(now.getTime() + 3_153_600_000_000);
   const signer = await signerFromJWK(jwk);
 
   const nonce = generateNonce();
   const label = "sig1";
   let request = new Request(ORIGIN_URL);
   const signedHeaders = await signatureHeaders(request, signer, {
+    components: recommendedComponents(),
     created,
     expires,
     nonce,
@@ -42,10 +46,14 @@ async function generateTestVectors(jwk: JsonWebKey): Promise<TestVector[]> {
 
   const nonceWithAgent = generateNonce();
   const labelWithAgent = "sig2";
+  const signatureAgentKey = "agent2";
   request = new Request(ORIGIN_URL, {
-    headers: { "Signature-Agent": JSON.stringify(SIGNATURE_AGENT_HEADER) },
+    headers: {
+      "Signature-Agent": `${signatureAgentKey}="${SIGNATURE_AGENT_HEADER}"`,
+    },
   });
   const signedHeadersWithAgent = await signatureHeaders(request, signer, {
+    components: recommendedComponents(signatureAgentKey),
     created,
     expires,
     nonce: nonceWithAgent,
@@ -73,6 +81,7 @@ async function generateTestVectors(jwk: JsonWebKey): Promise<TestVector[]> {
       signature: signedHeadersWithAgent["Signature"],
       signature_input: signedHeadersWithAgent["Signature-Input"],
       signature_agent: request.headers.get("Signature-Agent"),
+      signature_agent_key: signatureAgentKey,
     },
   ];
 }

packages/web-bot-auth/src/index.ts

@@ -18,21 +18,14 @@ export { helpers } from "./crypto";
 
 export const HTTP_MESSAGE_SIGNAGURE_TAG = "web-bot-auth";
 export const SIGNATURE_AGENT_HEADER = "signature-agent";
-export const REQUEST_COMPONENTS_WITHOUT_SIGNATURE_AGENT: httpsig.Component[] = [
-  "@authority",
-];
-export const REQUEST_COMPONENTS: httpsig.Component[] = [
-  "@authority",
-  SIGNATURE_AGENT_HEADER,
-];
 export const NONCE_LENGTH_IN_BYTES = 64;
 
 export interface SignatureParams {
+  components: httpsig.Component[];
   created: Date;
   expires: Date;
   nonce?: string;
   key?: string;
-  components?: httpsig.Component[];
 }
 
 export interface VerificationParams {
@@ -57,6 +50,18 @@ export function validateNonce(nonce: string): boolean {
   }
 }
 
+export function recommendedComponents(
+  signatureAgentKey?: string
+): httpsig.Component[] {
+  if (signatureAgentKey) {
+    return [
+      "@authority",
+      { header: SIGNATURE_AGENT_HEADER, key: signatureAgentKey },
+    ];
+  }
+  return ["@authority"];
+}
+
 function getSigningOptions<
   T extends httpsig.RequestLike | httpsig.ResponseLike,
 >(
@@ -76,25 +81,21 @@ function getSigningOptions<
     }
   }
   const signatureAgent = httpsig.extractHeader(message, SIGNATURE_AGENT_HEADER);
-  let components: string[];
-  if (!params.components) {
-    // `extractHeader` returns "" instead of throwing or null when the header does not exist
-    if (!signatureAgent) {
-      components = REQUEST_COMPONENTS_WITHOUT_SIGNATURE_AGENT;
-    } else {
-      components = REQUEST_COMPONENTS;
-    }
-  } else {
-    if (signatureAgent && components.indexOf("SIGNATURE_AGENT_HEADER") === -1) {
-      throw new Error(
-        `${SIGNATURE_AGENT_HEADER} is required in params.component when included as a header param`
-      );
-    }
-    components = params.components;
+  if (
+    signatureAgent &&
+    !params.components.find(
+      (c) =>
+        (typeof c !== "string" && c.header === SIGNATURE_AGENT_HEADER) ||
+        c === SIGNATURE_AGENT_HEADER
+    )
+  ) {
+    throw new Error(
+      `${SIGNATURE_AGENT_HEADER} is required in params.component when included as a header param`
+    );
   }
 
   return {
-    components,
+    components: params.components,
     created: params.created,
     expires: params.expires,
     nonce,